two-factor icon indicating copy to clipboard operation
two-factor copied to clipboard

Published 20 hours ago verified publisher icon WordPress

Use site_url() for the FIDO U2F AppId

Open onliniak opened this issue 5 years ago • 5 comments

Priority: Low, I use very rarely use option.

I propably find a error. I use TF 0.3, WP 5.0.3, Firefox 65, Yubikey 4 and Nginx.

When I select this same urls like example.com and example.com all works but if my site url is example.com and my blog url (WP admin and WP login) is abc.123.xyz I am not able to login. abc.123.xyz/wp-login show destroy session error and Firefox don't show fingerprint icon.

onliniak avatar Feb 08 '19 16:02 onliniak

Is that with the U2F key? The U2F protocol relies on the AppId which we set to the home_url() here:

https://github.com/georgestephanis/two-factor/blob/f33778a5f72a08550cc7f25ab93f67bfd44c7c1d/providers/class.two-factor-fido-u2f.php#L90-L98

And per home_url() docs:

Retrieves the URL for the current site where the front end is accessible.

So site_url() would actually be more appropriate.

However, it has been like that for the past four years https://github.com/georgestephanis/two-factor/commit/b5df9bac4e1c255c661407eb70568ad141df6bda and it could introduce a regression if we change it right now.

Maybe add a filter to allow changing that?

kasparsd avatar Feb 08 '19 20:02 kasparsd

Yes, U2F key. By the way I find similar problem with OpenID plugin (I am stuck after login with message "put key" but without fingerprint icon).

I understand, anyway it's extremal situations. Closed.

onliniak avatar Feb 09 '19 00:02 onliniak

However, it has been like that for the past four years b5df9ba and it could introduce a regression if we change it right now.

In most cases the home_url() and site_url() are probably the same. In cases where they're not, this is almost certainly broken right now. It seems unlikely that fixing this will cause more problems.

joshbetz avatar Feb 11 '19 15:02 joshbetz

@joshbetz I agree! I know WP VIP has home_url() return the top-level domain and site_url() return the *.wordpress.com domain.

Let's get this fixed.

kasparsd avatar Feb 11 '19 16:02 kasparsd

So, by coincidence, I pointed to a possible problem with wordpress.com? Good to know ...

onliniak avatar Feb 14 '19 20:02 onliniak

U2F is deprecated and no longer works in Chrome, so the provider is being removed in #439 . Given that, there's probably no reason to keep this open anymore.

iandunn avatar Oct 20 '22 14:10 iandunn